Lidl Logo

Privacy Protection

DATA PROTECTION

DATA PROTECTION IS IMPORTANT TO US

Privacy policy for info.lidl:

Thank you for your interest in data protection at Lidl Stiftung & Co. KG (hereinafter "Lidl"). We at Lidl want you to feel comfortable and safe when you visit our website, and to know that one of the things that sets us apart is our commitment to protecting our customers' data. The following data protection notice is designed to inform you about how and to what extent your personal data is processed when you visit the website info.lidl. Personal data is information that identifies you or could identify you directly or indirectly. The statutory basis for data protection is, in particular, the EU General Data Protection Regulation (GDPR).

I.  Lidl corporate website (info.lidl)

TABLE OF CONTENTS

1.    Overview
2.    Accessing our website
3.    Online presence
4.    Customer service

 
1.    Overview

Data processing by Lidl Stiftung & Co. KG starts when the website is accessed. Various information is exchanged between your end device and our server. This may also involve personal data. The information collected in this way is used to optimize our website.

2.    Accessing our website

Purposes of the processing/legal bases:

When accessing our website, the browser used on your end device will – automatically and without any action on your part – send

  • the IP address of the accessing Internet-enabled device;
  • the date and time of access;
  • the name and URL of the requested file;
  • the website/application from which the access occurred (referrer URL);
  • the browser and, where relevant, the operating system of your Internet-enabled computer as well as the name of your access provider

to our website server and be stored temporarily in what is known as a log-file for the following purposes:

 

  • to ensure a fault-free connection;
  • to ensure the comfortable use of our website/application,
  • to analyze system security and stability.

The legal basis for the processing of the data listed is Article 6(1)(f) GDPR. The purposes of data processing listed above constitute our legitimate interest.

Recipients/categories of recipient:

Schwarz IT GmbH & Co. KG has access to the data for the purpose of hosting the system.
Storage time/criteria for determining storage time:

Data will be stored for a period of seven days and automatically deleted thereafter.

3.1    Cookies – general information

Purposes of processing and legal basis:

Cookies are small text files that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our websites. Cookies do not cause any harm to your end device, nor do they contain any viruses, trojans or other malware. The cookie stores certain information that results in connection with the specific end device deployed. This does not, however, mean that we will immediately become aware of your identity.

Cookies used to process usage data are deployed for the following purposes, depending on the categories of cookie:

 

  • Technically necessary: These are cookies that are necessary for you to use our services (for example to correctly display our website/the functions you request, to record you signing in so that you can fill your shopping cart when making online purchases, etc.).
  • Preferences: Using these methods, we can take into account your actual or perceived preferences to enhance the user experience. For example, we can use your settings to display our websites in a language relevant to you. They also mean we can avoid displaying products that may not be available in your region.
  • Statistics: These methods enable us to tailor the design of our services by producing anonymized statistics about how they are used. For example, we can use them to determine how better to adapt our websites to user habits.
  • Marketing: These enable us to display relevant advertising content based on an analysis of your usage behavior. Your usage behavior can also be tracked over various websites, browsers or devices via a user ID (unique identifier).

Depending on the purpose, the use of cookies to process usage data involves processing the following types of personal data in particular:

Technically necessary:

  • Optimizing response times by distributing traffic on the website among multiple servers.
  • User inputs to store the user's consent status for the current domain (e.g., cookie consent).

Preferences:

  • Settings to customize the user interface that are not linked to a permanent identifier (e.g., selecting a preferred language).

Statistics:

  • Pseudonymized usage profiles containing information on the use of our websites. These contain in particular:
    • browser type/browser version;
    • operating system used;
    • referrer URL (i.e., the previously visited page);
    • host name of the accessing computer (IP address);
    • time of the server request;
    • events triggered on the websites (web browsing behavior).   
  • The IP address is routinely anonymized, which in principle means it is no longer possible to identify you.

Marketing:

  • Pseudonymized usage profiles containing information on the use of our websites. These contain in particular:
    • IP address;
    • device used;
    • events triggered on the websites (web browsing behavior).  
  • IP addresses are routinely anonymized, which in principle means it is no longer possible to identify you.

The legal basis for using preference, statistical and marketing cookies is your consent given pursuant to Article 6(1)(a) GDPR. The legal basis for using technical cookies is Article 6(1)(b) GDPR to the extent your data are required in order to provide our services as part of initiating and performing the contract; otherwise it is Article 6(1)(f) GDPR, whereby our legitimate interest lies in providing our services.

You may also configure your browser to ensure that a warning appears every time a new cookie is placed. This makes the use of cookies more transparent for you. You can also use your browser settings to delete cookies at any time and block new ones from being placed. Please note that if you do so, this may prevent our websites from being displayed or may render certain functions inoperative.

The data processing based on your consent is presented in greater detail in section 3.2 of this privacy policy, which lays out the potential recipients of your data as well as special provider-related opportunities to withdraw your consent.

You may withdraw your consent at any time with effect for the future without this affecting the lawfulness of the processing based on consent before its withdrawal. Click here to make your selection. Simply uncheck the respective box to withdraw your consent for the given data processing purpose.

Recipients/categories of recipient:

When using cookies to process usage data, we may on occasion retain specialized service providers, particularly from the field of online marketing, to process data. They process your data on our behalf as processors. Each has been carefully selected and bound by contract in accordance with Article 28 GDPR. All of the companies listed as service providers in our cookie policy act as processors on our behalf, to the extent they are not named as (joint) controllers at the beginning of this section.

As part of our cooperation with Google LLC, the above mentioned data is usually also processed on servers in the USA for statistical and marketing purposes.

Storage time/criteria for determining storage time:

For information on the duration of storage for cookies, see our cookie policy. If "persistent" is entered in the "expiration" column, the cookie will be stored permanently until the corresponding consent is withdrawn. "Session" cookies are deleted when you close your browser.

3.2 Opportunities to withdraw your consent/opt out

In addition to the options referred to in section 3, you can also prevent the targeting technologies specified section 3 by changing your browser settings, e.g., to refuse some or all cookies. However, please be advised that doing so may prevent you from using all the functions of this website.
You can also use a "preference manager" to prevent personalized behavioral advertising.

4. Customer service

Purposes of the processing/legal bases:

We treat all personal data which you provide us with on the contact form, by telephone, e-mail or via social media confidentially. We use your data solely for the limited purpose of processing your request. The legal basis for the data processing is Article 6(1)(f) and Article 6(1)(b) GDPR. Our shared (legitimate) interest in this data processing arises from the objective of answering any inquiries and resolving any issues you may have and thus ensuring and improving your level of satisfaction as a customer or other user of our website.

If you participate in our customer survey, you do so on a purely voluntary basis. In conducting these anonymous surveys, no information is stored that can be used to identify respondents. Only the date and time of your participation will be stored. All personal data that you provide when responding to our survey will be regarded as provided voluntarily and stored in accordance with the GDPR. Please refrain from entering names or other information in the text fields that could be used to identify you or other persons. In the event that consent is given in the context of a customer survey, Article 6(1)(a) GDPR is the legal basis for any data processing carried out on the basis of such consent. Where you have given your consent in the context of a customer survey, you are entitled to withdraw that consent at any time with effect for the future. In this case, further details are governed in the specific privacy policies of the respective customer survey.

Recipients/categories of recipient:

In exceptional cases, we will have a processor in the area of customer service process the data on our behalf. Such processors are carefully selected, audited by us and bound by contract in accordance with Article 28 GDPR.

Where necessary to process your inquiry, the data you provide may be disclosed to Lidl Group companies.

Furthermore, it may be necessary for us to pass on excerpts of your inquiry to contractual partners (e.g., suppliers in the case of product-specific inquiries) for the purpose of processing your inquiry. In these cases your inquiry will be anonymized in advance, meaning that third parties will not be able to identify you. Should it be necessary to pass on your personal data in individual cases, we will notify you in advance and obtain your consent.

The results of our customer surveys are generally used for internal evaluation purposes only. We will not pass on your personal data to third parties unless you have given your explicit consent for this.

Storage time/criteria for determining storage time:

We delete or anonymize all personal data we receive from you when you make inquiries (positive/negative comments or suggestions) via the website or by e-mail no later than 90 days after the final response is sent. Based on experience, we generally do not receive any questions concerning our responses after 90 days. If you assert your rights as a data subject in accordance with section V, your personal data will be stored for three years after the final response in order to document the fact that we provided you with comprehensive information and that the legal requirements have been met.


II.  Journalists, business partners, other third parties

TABLE OF CONTENTS

1.    Overview
2.    General data processing in the case of contractual relationships
3.    Processing of other information


1.    Overview

The following privacy notice applies to you if you contact us, if you enter into contract negotiations with us and/or if there is a contract in place between us and the data of natural persons is processed in that context. It also applies if you are acting as contact person in a business relationship with us and are not personally a party to the contract.

Which data is processed in the individual case depends primarily on the agreed services. As a result, not all of this information will be relevant to you.

The personal data of yours that we collect is primarily obtained directly from you. However, it may also be necessary to process personal data that we obtain from other companies, authorities or other third parties, such as credit agencies, tax offices, home pages and the like. This may include personal data that we obtain through our whistleblower channels about potential compliance violations or in the context of compliance investigations.

Relevant personal data may include: personal details (e.g., first/last name, address and other contact details, date and place of birth, nationality), identification and authentication data (e.g., commercial register excerpts, I.D. data, specimen signature), your company and your position, job role and department at the company, your supervisor, and data within the scope of our business relationship (e.g., order data).

You may elect to communicate with us by e-mail or mail. For technical reasons, e-mail communications may be unencrypted.

 

2.    General data processing in the case of contractual relationships

Purposes of the processing/legal basis:

For the performance of contractual obligations (Article 6(1)(b) GDPR)

The purposes of processing follow from the need to take steps prior to entering into a contract, in advance of a contractual business relationship and to perform obligations under an existing contract.

For compliance with a legal obligation (Article 6(1)(c) GDPR)
The purposes of processing follow from statutory requirements in the individual case. Such legal obligations include, e.g., complying with retention and identification obligations, e.g., in the context of anti-money laundering requirements, tax monitoring and reporting requirements and data processing in the context of requests from authorities.

For the purposes of legitimate interests (Article 6(1)(f) GDPR)

It may be necessary to process the personal data you provide for purposes beyond the actual performance of the contract. Legitimate interests in this case include, in particular, selecting suitable business partners, storing and using the details of contact persons, allocating work products to individual business partners, negotiating with contact partners who are not or will not become direct business partners, issuing invitations to events, identifying and processing potentially damaging e-mails, physical and data access controls, clarifying potential compliance violations and other internal administrative purposes.

Recipients/categories of recipient:

Within our company, access to the data provided by you will be granted to those departments that require such data for the purposes of performing contractual obligations, complying with legal obligations or serving legitimate interests. Processors, authorities or service providers may also be given access to your personal data in the context of contractual relationships and in order to fulfill statutory obligations and safeguard legitimate interests. Their compliance with data protection requirements is ensured by contractual agreement.

In addition, the data may be transferred to Schwarz Group companies for purposes of performing contractual obligations.

Storage time/criteria for determining storage time:

The personal data will be stored for as long as necessary for fulfilling the above-mentioned purposes. Particularly relevant in this context are the statutory retention obligations under the German Commercial Code (Handelsgesetzbuch – HGB) and the German Fiscal Code (Abgabenordnung – AO), which provide for retention periods of up to 12 years. Your communication data processed in the context of press activities (e.g., preparing press releases) is stored on our computer drive and in our communications system for ten years so that we can ensure internal traceability (uniform procedure, response to feedback, ensuring correct reporting).

Obligation to provide data:

Within the scope of our business relationship, you must provide us with the personal data needed to commence, execute and terminate a business relationship and to perform the obligations associated therewith, which we are legally obligated to collect or are entitled to collect on the basis of legitimate interests. Without such data, we would generally not be able to enter into a business relationship with you. Beyond that, you are neither legally nor contractually required to provide us with personal data. If you do not wish to provide us with personal data, this may mean that you cannot use specific services or this website. Your personal data will not be subject to automated decision-making.

Your rights as a data subject

 In accordance with Article 21 GDPR, you have the right to object at any time to the processing of personal data based on Article 6(1)(f) GDPR, without giving any reasons. Please send your objection to: corporate.communications.international@lidl.com.

You can find further information on your rights as a data subject in section "III. Rights of data subjects".

 

3.    Processing of other information

Purpose of the processing/legal basis/source:

 Where applicable to our cooperation, we store other relevant information (e.g., releases, publications, articles) on the basis of Article 6(1)(f) GDPR. Our legitimate interest lies in monitoring how you have used our disclosures and information. We generally obtain your data from publicly available sources, e.g., the website of your media organization, the print version of your publication, other forms of publication and comparable websites or social media.

Recipients/categories of recipient:

Within our company, access to the data provided by you will be granted to those departments that require such data for the purposes of performing contractual obligations, complying with legal obligations or serving legitimate interests.

Storage time/criteria for determining storage time:

The data are stored on our computer drive and in our communication system for ten years for communication purposes and to enable us to monitor use.

III. transmission to recipients in a third country

If we transfer data to recipients in a third country (registered office outside the European Economic Area), you can see this in the information on the recipients/categories of recipients in the description of the respective data processing. In some third countries, the European Commission certifies a data protection standard comparable to the level in the European Economic Area through so-called adequacy decisions. A list of these countries can be found at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html. If no comparable data protection standard exists in a country, we ensure that data protection is sufficiently guaranteed by other measures. This is possible, for example, through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates, or recognized codes of conduct. Please contact our data protection officer (Item 19) if you would like to receive more detailed information.

IV. Rights of data subjects

In addition to the right to withdraw any consent you have granted to us, you have the following additional rights provided the respective statutory conditions are met:

  • right of access to your personal data stored with us pursuant to Article 15 GDPR;
  • right to rectification of inaccurate personal data and the right to have incomplete personal data completed pursuant to Article 16 GDPR;
  • right to erasure of your personal data stored with us pursuant to Article 17 GDPR;
  • right to a restriction of processing of your data pursuant to Article 18 GDPR;
  • right to data portability pursuant to Article 20 GDPR;
  • right to object pursuant to Article 21 GDPR;

 

1.    Right of access pursuant to Article 15 GDPR

Pursuant to Article 15(1) of the GDPR, you have the right to request information, free of charge, on the personal data stored about you. This particularly includes:

  • the purposes for which personal data is being processed;
  • the categories of personal data that are being processed;
  • the recipients or categories of recipient to whom personal data concerning you has been or will be disclosed;
  • the planned duration of the storage of the personal data concerning you or, if it is not possible to give any specific details, the criteria used to determine the storage duration;
  • the existence of a right to rectification or erasure of the personal data concerning you, a right to request from the controller that processing be restricted or a right to object to this processing;
  • the right to lodge a complaint with a supervisory authority;
  • all available information regarding the origin of the data if the personal data is not being collected from the data subject;
  • the existence of any automated decision-making processes including profiling pursuant to Article 22(1) and (4) GDPR and – at least in these cases –meaningful information regarding the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.

If personal data is transferred to a third country or an international organization, you have the right to be notified about appropriate safeguards pursuant Article 46 GDPR in connection with the transfer.


2.    Right to rectification pursuant to Article 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


3.    Right to erasure pursuant to Article 17 DSGVO

You have the right to require us to erase any personal data concerning you without undue delay where one of the following grounds applies:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw your consent on which the processing pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR was based and there is no other legal ground for the processing;
  • you object to the processing pursuant to Article 21(1) or (2) GDPR, and in the case of Article 21(1) GDPR there are no overriding legitimate grounds for the processing;
  • the personal data was unlawfully processed;
  • the erasure of personal data is necessary in order to comply with a legal obligation;
  • the personal data was collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

Where we have made the personal data public and are obliged to erase it, taking account of available technology and the cost of implementation we will take reasonable steps to inform any third parties processing your data of the fact that you have requested the erasure by such third parties of any links to, or copies or replications of, such personal data.

 
4.    Right to restriction of processing pursuant to Article 18 GDPR

You have the right to require us to restrict the processing where one of the following applies:

  • you contest the accuracy of the personal data;
  • the processing is unlawful and you request the restriction of the use of the personal data rather than its erasure;
  • the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims or
  • you have objected to the processing pursuant to Article 21(1) GDPR pending verification of whether the legitimate grounds of the controller override those of the data subject.


5.    Right to data portability pursuant to Article 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and you have the right to transmit that data to another controller without hindrance by us, where

  • the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) GDPR and
  • the processing is carried out by automated means.

In exercising your right to data portability you have the right to have the personal data transmitted directly from us to another controller where technically feasible.

 
6.    Right to object pursuant to Article 21 GDPR

 Provided the requirements of Article 21(1) GDPR are met, you may object to the data processing on grounds relating to your particular situation.

The aforementioned general right to object applies to all processing grounds set out in these data protection provisions, which are processed on the basis of Article 6(1)(f) GDPR. In contrast to the specific right to object regarding data processing for promotional purposes, we are only obliged to action such general right to object if you cite grounds of overriding importance, e.g. a possible risk to life or health. In addition you have the option to contact the supervisory authority responsible for Lidl Stiftung & Co. KG or the data protection officer of Lidl Stiftung & Co. KG (see section IV.4).


7.    Right to withdraw

Your consent is given voluntarily. You may withdraw it at any time with prospective effect. Please direct any notices withdrawing consent to: corporate.communications.international@lidl.com. If you withdraw your consent, your Images/Personal Details will be deleted immediately. Any such withdrawal of consent shall not affect the lawfulness of processing prior to receiving the notice of withdrawal.


V. Points of contact and right to lodge complaints

1.    Points of contact in the event of questions or in order to exercise your data protection rights

If you have any questions regarding the website or in order to exercise your rights in the processing of your data (data protection rights) please contact our customer service:
https://www.lidl.de/contact

 
2.    Points of contract for any data protection questions

Should you have any further questions regarding the processing of your data, please contact the company data protection officer of Lidl (see section IV.4).


3.    Right to complain to the data protection supervisory authority

You also have a right to lodge a complaint with the competent data protection supervisory authority at any time. In order to do this you can contact the data protection supervisory authority of the German Land where you have your place of residence or the authority of the Land of Baden-Württemberg as the Land where Lidl Stiftung & Co. KG is headquartered.


4.    Controller and data protection officer

These data protection provisions apply to the processing of data by Lidl Stiftung & Co. KG, Stiftsbergstraße 1, 74167 Neckarsulm, Germany ("Controller") and for the website www.info.lidl. The company data protection officer of Lidl Stiftung & Co. KG can be contacted at the aforementioned address for the attention of the data protection officer or at datenschutz@lidl.com.